NATO condemns Iranian cyberattack on Albania

NATO and its Secretary General Jens Stoltenberg on Thursday (9 September) condemned the Iranian cyberattack on Albania, in response to which the country severed its relations with Tehran on Wednesday and expelled all Iranian diplomats.

The cyberattack, which international experts regard as highly professional, had crippled all Albanian government websites and online portals on 15 July.

Albanian Prime Minister Edi Rama announced on Wednesday that all Iranian diplomats would have to leave the country by Thursday afternoon, thereby ending the steadily deteriorating relations between the two countries.

In a post on Twitter, Stoltenberg stated that NATO had committed itself to further increasing security in order to contain the cyber threat.

"I strongly condemn the recent cyberattack on Albania, which Tirana and other Allies attribute to Iran. NATO and Allied experts are providing support. NATO is determined to further increase security to deter and defend against cyber threats," Stoltenberg said.

NATO also published a detailed statement that echoed Stoltenberg's words and added: "We will continue to raise our guard against malicious cyber activities and support each other in deterring, defending against and countering the full spectrum of cyber threats, including by considering possible collective responses."

Iran rejects the accusations

At the time of publication of this article, the diplomatic staff are at Tirana International Airport awaiting their departure.

The spokesman of the Iranian Foreign Ministry, Nasser Ka'nani, rejected the accusations and described them as baseless.

"As one of the countries that has experienced cyberattacks on its critical infrastructure, the Islamic Republic of Iran rejects and condemns any use of cyberspace as a means of attacking the infrastructure of other countries," the spokesman said.

Alluding to the US and Israel, he added that Albania had been influenced by third parties that support terrorism.

Albania is home to the MEK group (People's Mojahedin Organisation of Iran), which was founded in 1965 to oppose the US-backed Shah Mohammad Reza Pahlavi. From the 1970s it waged armed struggle against the Iranian state, until it entered into an alliance with Iraq and sided with it during the Iran-Iraq war.

The MEK was in the past classified as a terrorist organisation by the EU, Canada, the US and Japan, though these designations have since been lifted. In 2004, the US government granted it protection under the Geneva Convention.

The group's aim is to overthrow the Iranian government. Reportedly, around 1,000 members live in a closed, heavily guarded camp 40 kilometres outside Tirana.

EU politicians have offered support to the MEK camp in Albania.

In 2018, the Albanian government expelled two Iranian diplomats, including the ambassador, for "harming national security" and alleged involvement in planning an attack on a football match between Israel and Albania.

Opposition members criticised the Albanian government for not being better prepared in the face of rising cybercrime threats. However, they also said that the country would not be a target if it did not host the MEK.


Japan’s cyber-security minister has ‘never used a computer’

Yoshitaka Sakurada said his lack of experience with computers should not pose a problem

Japan’s new cyber-security minister has dumbfounded his country by saying he has never used a computer.

Yoshitaka Sakurada made the admission to a committee of lawmakers.

“Since I was 25 years old and independent I have instructed my staff and secretaries. I have never used a computer in my life,” he said, according to a translation by the Kyodo news agency.

The 68-year-old was appointed to his post last month.

His duties include overseeing cyber-defence preparations for the 2020 Olympic Games in Tokyo.

A politician from the opposition Democratic Party, Masato Imai, whose question had prompted the admission, expressed surprise.

“I find it unbelievable that someone who is responsible for cyber-security measures has never used a computer,” he said.

But Mr Sakurada responded that other officials had the necessary experience and he was confident there would not be a problem.

However, his struggle to answer a follow-up question about whether USB drives were in use at the country’s nuclear power stations caused further concern.

The disclosure has been much discussed on social media where the reaction has been a mix of astonishment and hilarity, with some noting that at least it should mean Mr Sakurada would be hard to hack.

https://www.bbc.com/news/technology-46222026

QNAP Warns of New DeadBolt Ransomware Attacks Exploiting Photo Station Flaw

QNAP has issued a new advisory urging users of its network-attached storage (NAS) devices to upgrade to the latest version of Photo Station following yet another wave of DeadBolt ransomware attacks in the wild that exploit a zero-day flaw in the software.

The Taiwanese company said it detected the attacks on September 3 and that “the campaign appears to target QNAP NAS devices running Photo Station with internet exposure.”


The issue has been addressed in the following versions –

  • QTS 5.0.1: Photo Station 6.1.2 and later
  • QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later
  • QTS 4.3.6: Photo Station 5.7.18 and later
  • QTS 4.3.3: Photo Station 5.4.15 and later
  • QTS 4.2.6: Photo Station 5.2.14 and later

Details of the flaw have been kept under wraps for now, but the company is advising users to disable port forwarding on the routers, prevent NAS devices from being accessible on the Internet, upgrade NAS firmware, apply strong passwords for user accounts, and take regular backups to prevent data loss.

The latest development marks the fifth round of DeadBolt attacks aimed at QNAP appliances: the first came in January 2022 and was followed by similar incursions in March, May, and June.


According to the latest stats compiled by Censys, a search engine for IoT devices and internet assets, DeadBolt has compromised around 17,813 devices as of September 5, with infections jumping from 7,748 on September 1 to reach a high of 19,029 on September 4.

A majority of the hacked devices are located in the U.S. (2,385), Germany (1,596), Italy (1,293), Taiwan (1,173), the U.K. (1,156), France (1,069), Hong Kong (995), Japan (962), Australia (684), and Canada (646).

“QNAP NAS should not be directly connected to the Internet,” the company said. “We recommend users to make use of the myQNAPcloud Link feature provided by QNAP, or enable the VPN service. This can effectively harden the NAS and decrease the chance of being attacked.”


https://thehackernews.com/2022/09/qnap-warns-of-new-deadbolt-ransomware.html

Crypto Trading Firm Wintermute Loses $160 Million in Hacking Incident

In what’s the latest crypto heist to target the decentralized finance (DeFi) space, hackers have stolen digital assets worth around $160 million from crypto trading firm Wintermute.

The hack involved a series of unauthorized transactions that transferred USD Coin, Binance USD, Tether USD, Wrapped ETH, and 66 other cryptocurrencies to the attacker’s wallet.

The company said that its centralized finance (CeFi) and over-the-counter (OTC) operations have not been impacted by the security incident. It did not disclose when the hack took place.

The digital asset market maker, which provides liquidity to several exchanges and crypto platforms, warned of disruption to its services in the coming days, but stressed that it's "solvent with twice over that amount in equity left."

“We are (still) open to treat[ing] this as a white hat, so if you are the attacker – get in touch,” the company’s founder and CEO, Evgeny Gaevoy, said in a tweet.

Details surrounding the exact exploit method used to perpetrate the hack are unknown at the moment, although Gaevoy said the attack was likely caused by a "Profanity-type exploit" in its trading wallet.

Wintermute further acknowledged it did use Profanity, an Ethereum vanity address generation software, alongside an in-house tool to generate addresses with many zeros in front as recently as June.

The open-source project is currently abandoned by its anonymous maintainer, who goes by the moniker johguse, citing “fundamental security issues in the generation of private keys.”

Profanity, incidentally, also came under spotlight last week after decentralized exchange (DEX) aggregator 1inch Network disclosed a vulnerability that could be abused to recompute the private wallet keys from addresses created using the utility.

Subsequently, the attack vector was exploited by malicious actors to drain $3.3 million from Ethereum addresses made with Profanity on September 16, 2022.

The Wintermute breach is the latest attack on DeFi protocols, including that of Axie Infinity, Harmony Horizon Bridge, Nomad, and Curve.Finance in the past few months. Some of these thefts have been attributed to the North Korea-backed Lazarus Group.

According to a report from Bishop Fox published in May 2022, security incidents pummeling DeFi platforms resulted in losses to the tune of $1.8 billion in 2021 alone, with the services experiencing an average of five hacks per month.

“In most cases, the attack came from a vulnerability in Smart Contracts or in the very logic of the protocol,” the company noted. “Another important vector was the compromise of wallets and their private keys.”

https://thehackernews.com/2022/09/crypto-trading-firm-wintermute-loses.html

Cisco confirms hackers leaked stolen company data

Tech giant Cisco confirmed that data Yanluowang ransomware gang published on its leak site was stolen during the May cyberattack.

The company earlier said that it had suffered a cyberattack in May. However, the admission that data was stolen came only after the ransomware group Yanluowang published the list of stolen data on its website.

The group started posting the stolen data recently, a common tactic ransomware gangs employ to push victims into paying up.

“On September 11, 2022, the bad actors who previously published a list of file names from this security incident to the dark web, posted the actual contents of the same files to the same location on the dark web. The content of these files match what we already identified and disclosed,” Cisco said in a blog post.

A message on Yanluowang’s leak site, announcing Cisco’s data was published. Image by Cybernews.

However, the company downplayed the effect of the hack, adding that the incident had no impact on Cisco's business, products, services, customer, or employee information.

Still, the admission confirms that Cisco has joined Twilio and Cloudflare, which were both breached by the very cybercriminals they seek to defend against.

New kid on the block

Researchers first discovered the strain of Yanluowang malware targeting enterprises last October. Broadcom’s Symantec Threat Hunter Team got their hands on the malware after discovering an infected device.

The ransomware name Yanluowang refers to Yanluo Wang, a deity in Chinese religion and Taoism. The ominous deity is a judge in the underworld, passing judgment on the dead on their way to reincarnation or hell.

According to Symantec’s blog entry, researchers first spotted a suspicious use of AdFind, a legitimate command-line Active Directory query tool, on the victim’s internal networks.

The tool is a favorite of ransomware groups, as hackers can use it as a reconnaissance tool and equip the attackers with the resources they need for lateral movement.

After that, the ransomware encrypts files on the compromised computer and appends each file with the .yanluowang extension, finally dropping a ransom note named README.txt on the compromised computer.

Like many other ransomware notes, the Yanluowang note warns victims not to contact law enforcement or ransomware negotiation firms.

The threat actors threaten that if the rules are broken, they will launch a DDoS attack against the victim while simultaneously calling the victim's employees and business partners.
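The indicators the article describes (AdFind reconnaissance, files renamed with the .yanluowang extension, and a README.txt ransom note dropped alongside them) can be turned into a simple detection. The following is an added example, not code from the article or from Symantec; the log format and the events are constructed for illustration and stand in for EDR process-creation and file-write telemetry.

```python
import re

# Constructed sample events in a simple "timestamp host type detail" format,
# standing in for EDR process-creation and file-write telemetry.
SAMPLE_EVENTS = [
    "2022-10-01T09:14:02Z ws-17 process cmd.exe /c whoami",
    "2022-10-01T09:15:40Z ws-17 process AdFind.exe -f (objectcategory=person)",
    "2022-10-01T09:15:41Z ws-17 process adfind.exe -f objectcategory=computer -csv",
    "2022-10-02T03:02:11Z fs-01 file C:\\Shares\\finance\\Q3.xlsx.yanluowang",
    "2022-10-02T03:02:11Z fs-01 file C:\\Shares\\finance\\README.txt",
    "2022-10-02T03:02:12Z fs-01 file C:\\Shares\\hr\\payroll.docx.yanluowang",
    "2022-10-02T08:00:00Z ws-03 file C:\\Users\\dev\\project\\README.txt",
]

EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>process|file) (?P<detail>.*)$")


def parse_event(line):
    """Split one constructed log line into its fields, or None if it does not match."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def detect(lines):
    """Return a list of (severity, host, reason) findings based on the indicators
    described in the article: AdFind reconnaissance, files renamed with the
    .yanluowang extension, and a README.txt dropped on a host seeing such renames."""
    findings = []
    encrypted_hosts = set()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        host, kind, detail = ev["host"], ev["kind"], ev["detail"]
        if kind == "process":
            exe = detail.split()[0].lower()
            if exe.endswith("adfind.exe"):
                findings.append(("medium", host, "AdFind AD enumeration: " + detail))
        elif kind == "file":
            if detail.lower().endswith(".yanluowang"):
                encrypted_hosts.add(host)
                findings.append(("high", host, "file renamed with .yanluowang: " + detail))
    # A README.txt is a very common file name; only flag it on a host that is
    # also seeing .yanluowang renames, which is the pattern the article describes.
    for line in lines:
        ev = parse_event(line)
        if (ev and ev["kind"] == "file" and ev["host"] in encrypted_hosts
                and ev["detail"].lower().endswith("\\readme.txt")):
            findings.append(("high", ev["host"], "possible ransom note: " + ev["detail"]))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'medium': 2, 'high': 3} for SAMPLE_EVENTS."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, host, reason in detect(SAMPLE_EVENTS):
        print(f"[{sev}] {host}: {reason}")
    print(summarize(detect(SAMPLE_EVENTS)))
```

The developer's README.txt on ws-03 is deliberately left unflagged: the note only becomes suspicious in combination with the extension change on the same host.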

https://cybernews.com/news/cisco-confirms-hackers-leaked-stolen-company-data/

How Criminals Attack the Building Blocks of the Internet

In the days of apps, web services, and cloud computing, where information and data are shared among many individual applications, APIs represent the building blocks. Without APIs, most company processes, especially those crossing company borders, would not function properly. It is therefore no surprise that cyber criminals have identified APIs as one of the most lucrative targets for retrieving sensitive information. In an attack on API security, the objective is usually to extract data through the API or to abuse it for other malicious purposes.

There are many ways to attack API security. Some of the most common are SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). Let’s have a look into each of those types of attacks and how you can prevent them.

  • SQL Injection

An SQL injection is a type of API security attack which targets databases. It works by the attacker inserting malicious code into an SQL statement in order to gain access to data or to alter it for their own purposes.

Preventing SQL injection attacks is relatively simple. The easiest way to do this is to use parameterized queries. This is where placeholders are used for dynamic values, and the actual values are supplied when the query is executed. This ensures that the dynamic values cannot be interpreted as SQL code.

  • Cross Site Scripting (XSS)

XSS is also an injection attack, but instead of injecting malicious code into a database query, it injects script into a web page or web application in order to steal user data or hijack the user's session. This is particularly dangerous because the user might be tricked into revealing sensitive information.

Measures to prevent XSS include a web application firewall (WAF) that can detect and block XSS attacks, and a content security policy (CSP), which helps prevent XSS by specifying what content from which sources the browser is allowed to load.

  • Cross-Site-Request-Forgery (CSRF)

An attacker forces an end user to execute unwanted actions on a web application. CSRF attacks target state-changing requests, not theft of data. With social engineering, an attacker may trick users into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

A good practice for preventing CSRF attacks is to include a token in all POST requests. The token should be unique to each user and must not be guessable. When a form is submitted, the token is compared to the one stored in the user's session. If they don't match, the request is rejected.
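The token check just described, as an added example (not code from the article): a per-session unguessable token, a constant-time comparison, and rejection of POSTs whose token is missing or belongs to a different session. The session store and the request shape are constructed stand-ins for what a web framework would provide.

```python
import hmac
import secrets

# Constructed stand-in for a server-side session store: session_id -> session data.
SESSIONS = {}


def issue_csrf_token(session_id):
    """Create (once per session) an unguessable token and remember it server-side.
    The same token is embedded in the user's forms and sent back with each POST."""
    session = SESSIONS.setdefault(session_id, {})
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)   # 256 bits of randomness
    return session["csrf_token"]


def is_valid_post(session_id, method, form):
    """Reject state-changing requests whose token is missing or does not match the
    one stored in the user's session. Safe methods such as GET are not checked."""
    if method.upper() != "POST":
        return True
    session = SESSIONS.get(session_id)
    if session is None or "csrf_token" not in session:
        return False
    submitted = form.get("csrf_token")
    if not isinstance(submitted, str) or not submitted:
        return False
    # Constant-time comparison so timing differences do not leak the stored token.
    return hmac.compare_digest(session["csrf_token"].encode(), submitted.encode())


if __name__ == "__main__":
    token = issue_csrf_token("sess-alice")
    # Legitimate submission from the user's own page: token present and matching.
    print(is_valid_post("sess-alice", "POST", {"amount": "100", "csrf_token": token}))
    # Forged cross-site request: the attacker's page cannot read the victim's token.
    print(is_valid_post("sess-alice", "POST", {"amount": "100"}))
    # A token issued to another session is rejected as well.
    other = issue_csrf_token("sess-bob")
    print(is_valid_post("sess-alice", "POST", {"amount": "100", "csrf_token": other}))
```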

API security is critical

As can be seen from the examples above, API security is a critical issue for SMBs and enterprises that expose their API. Attacks on APIs can lead to data breaches, loss of customer trust, and reputation damage. Therefore, it is important to understand that these attacks can be prevented and mitigated.

Of course, depending on the specific details of the attack, there are various ways of mitigating it. However, some important measures that work against any attack, and that protect your APIs better overall, include:

  • Using encryption and authentication measures

A common way is to use HTTPS with SSL/TLS. This will protect all communication between the client and the server. You can also use a digital certificate to prove that the server is who it says it is.

  • Monitoring your API for suspicious activity
  1. Use a web application firewall (WAF) to monitor traffic and identify suspicious requests. However, be aware that WAFs require ongoing maintenance and regular updates.
  2. Use a log monitoring service to collect and analyze your API logs for anomalous activity.
  • Responding quickly to any incidents


Cybersecurity is not only about detecting and identifying weaknesses and risks. Every organization needs to have a plan for what to do in case of an attack. This is also true for API attacks. Make sure you have a well-defined process in place to react to an incident.

  • Good API documentation

To make sure that your API is well-documented, you can use auto-generated documentation tools, write clear and concise comments in your source code, and use consistent naming for your API elements. Good documentation also ensures that developers understand how to use the API properly. As a result, the risk of an attack that succeeds because of a misconfiguration is significantly reduced.

  • Implementing rate limiting to prevent excessive or abusive requests

A good rate-limiting strategy for your API will depend on its specific needs and usage patterns. However, some common rate-limiting strategies include limiting the number of requests that can be made per unit of time, or per unit of data (e.g., per MB).
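Both strategies named above, a cap on requests per unit of time and a cap on data per unit of time, can be enforced by one per-client limiter. The following is an added example (not code from the article) with a sliding window; the limits, client names, and traffic pattern are constructed, and the clock is passed in so the behaviour is reproducible.

```python
from collections import deque


class RateLimiter:
    """Per-client limits over a sliding window: at most `max_requests` calls and
    `max_bytes` of request payload in any `window_seconds` period.
    The current time is injected so the behaviour can be reproduced deterministically."""

    def __init__(self, max_requests, max_bytes, window_seconds):
        self.max_requests = max_requests
        self.max_bytes = max_bytes
        self.window = window_seconds
        self._events = {}   # client_id -> deque of (timestamp, payload_bytes)

    def _prune(self, client_id, now):
        """Drop events that have fallen out of the window for this client."""
        events = self._events.setdefault(client_id, deque())
        while events and now - events[0][0] >= self.window:
            events.popleft()
        return events

    def allow(self, client_id, now, payload_bytes=0):
        """Return (allowed, reason). Only allowed requests are recorded, so a client
        that is already over the limit does not keep extending its own penalty."""
        events = self._prune(client_id, now)
        if len(events) >= self.max_requests:
            return False, "request limit"
        used = sum(size for _, size in events)
        if used + payload_bytes > self.max_bytes:
            return False, "data limit"
        events.append((now, payload_bytes))
        return True, "ok"


MB = 1024 * 1024


def demo():
    """Constructed traffic against a limit of 100 requests and 5 MB per 60 seconds."""
    limiter = RateLimiter(max_requests=100, max_bytes=5 * MB, window_seconds=60)
    results = []
    # 100 small requests spread over the first 50 seconds are fine ...
    for i in range(100):
        results.append(limiter.allow("client-a", now=i * 0.5, payload_bytes=1024)[0])
    # ... the 101st inside the same window is refused ...
    results.append(limiter.allow("client-a", now=50.0, payload_bytes=1024)[0])
    # ... and once the oldest requests age out, the client gets budget back.
    results.append(limiter.allow("client-a", now=61.0, payload_bytes=1024)[0])
    # A different client is limited by data, not count: three 2 MB uploads exceed 5 MB.
    results.append(limiter.allow("client-b", now=0.0, payload_bytes=2 * MB)[1])
    results.append(limiter.allow("client-b", now=1.0, payload_bytes=2 * MB)[1])
    results.append(limiter.allow("client-b", now=2.0, payload_bytes=2 * MB)[1])
    return results


if __name__ == "__main__":
    print(demo())
```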

Protection can be achieved

As you can see, though APIs are increasingly attacked by cybercriminals, it is fairly straightforward to prevent those attacks, or at least to make them as difficult as possible for the attacker. If you follow some basic principles in designing your API, both for general development and, most importantly, for basic cybersecurity hygiene, you will go a long way in protecting your APIs. An online tool like the widget mentioned above will give you even better security. We recommend establishing solutions for business logic security testing in your development process to ensure a smooth integration. Besides that added layer of security, this will also make it easy for your developers to design their APIs securely right from the start – which, after all, is the best protection you can get.

BLST Security has made it possible to upload your JSON log file through an online widget and get results for free as shown in the following examples:

Uber’s ex-security chief faces landmark trial over data breach that hit 57m users

Joe Sullivan’s trial is believed to be the first case of an executive facing criminal charges over such a breach

The US district court in San Francisco will hear arguments on whether Joe Sullivan failed to properly disclose a 2016 breach. Photograph: Richard Drew/AP

Uber’s former security officer, Joe Sullivan, is standing trial this week in what is believed to be the first case of an executive facing criminal charges in relation to a data breach.

The US district court in San Francisco will start hearing arguments on whether Sullivan, the former head of security at the ride-share giant, failed to properly disclose a 2016 data breach affecting 57 million Uber riders and drivers around the world.

At a time when reports of ransomware attacks have surged and cybersecurity insurance premiums have risen, the case could set an important precedent regarding the culpability of US security staffers and executives for the way the companies they work for handle cybersecurity incidents.

The breach first came to light in November 2017, when Uber’s chief executive, Dara Khosrowshahi, revealed that hackers had gained access to the driver’s license numbers of 600,000 US Uber drivers as well as the names, email addresses and phone numbers of as many as 57 million Uber riders and drivers.

Public disclosures like Khosrowshahi’s are required by law in many US states, with most regulations mandating that the notification be made “in the most expedient time possible and without unreasonable delay”.

But Khosrowshahi’s announcement came with an admission: a whole year had passed since the information had been breached.

“You may be asking why we are just talking about this now, a year later,” Khosrowshahi said at the time, adding that the company had investigated the delay and had fired two executives who had led the response to the breach, one of whom was Sullivan.

Uber’s disclosure sparked several federal and statewide inquiries. In 2018, Uber paid $148m over its failure to disclose the data breach in a nationwide settlement with 50 state attorneys general. In 2019, the two hackers pleaded guilty to hacking Uber and then extorting Uber’s “bug bounty” security research program. In 2020, the Department of Justice filed criminal charges against Sullivan.

In court filings, federal prosecutors alleged that in an attempt to cover up the security violation, Sullivan had “instructed his team to keep knowledge of the 2016 Breach tightly controlled” and to treat the incident as part of the bug bounty program.

That program was intended to incentivize hackers and security researchers to report vulnerabilities in exchange for cash rewards, but it did not allow for “rewarding a hacker who had accessed and obtained personally identifiable information of users and drivers from Uber-controlled systems”, the complaint says.

The hackers in the 2016 breach were rewarded $100,000, the complaint says, more than any bounty the company had paid as part of the program until that point.

Sullivan also allegedly had the hackers sign a supplemental non-disclosure agreement (NDA) which “falsely represented that the hackers had not obtained or stored any data during their intrusion”, federal prosecutors wrote.

In 2018, months after he was fired, Sullivan contested any claims of a cover-up and said he was “surprised and disappointed when those who wanted to portray Uber in a negative light quickly suggested this was a cover-up”.

Neither Sullivan nor Uber immediately responded to a request for comment.

The justice department complaint alleged that only Sullivan and the former Uber chief executive Travis Kalanick had knowledge of the full extent of the hack as well as a role in the decision to treat it as an authorized disclosure through the bug bounty program. However, as the New York Times first reported, the security industry is divided over whether Sullivan deserves to be held solely responsible for the breach. Some have questioned whether the role of other company executives and its board should be investigated as well, while others say Sullivan’s role in it was clear.

“I don’t know if Uber management knew about the concealment … or if Sullivan was directed to make the $100,000 payment to hide the breach. The trial will ferret all that out,” Jamil Farshchi, the chief information security officer at Equifax, wrote in a Linkedin post. “What I do know is that nobody is disputing that a breach of 57 million people occurred, Uber concealed it, and that Joe Sullivan … was involved in the concealment.”

The trial will play out as reports of ransomware attacks continue to rise. In 2021, the US saw a more than 95% increase in ransomware attacks, according to the threat intelligence firm SonicWall. Many of those attackers have targeted healthcare facilities and schools. Hackers targeted the Los Angeles unified school district, the second-largest school district in the US, with a cyber-attack over Labor Day weekend.


https://www.theguardian.com/technology/2022/sep/06/uber-joe-sullivan-trial-security-data-breach

U-Haul discloses data breach exposing customer driver licenses

Moving and storage giant U-Haul International (U-Haul) disclosed a data breach after a customer contract search tool was hacked to access customers’ names and driver’s license information.

Following an incident investigation started on July 12 after discovering the breach, the company found on August 1 that attackers accessed some customers’ rental contracts between November 5, 2021, and April 5, 2022.

“After an in-depth analysis, our investigation determined on September 7, 2022, the accessed information includes your name and driver’s license or state identification number,” U-Haul told affected customers in notification letters sent to impacted individuals on Friday.

The attacker accessed the U-Haul rental contracts search portal after compromising two “unique passwords.”

While it didn’t explain how the credentials were compromised, the company changed them after the breach was detected to block additional malicious activity.

U-Haul email and customer facing websites were not affected by this incident. We want to assure you that it is safe to conduct business with our company and there has been no impact to business operations. — U-Haul

No credit card info accessed by attackers

U-Haul added that no credit card information was accessed or acquired during the incident because the compromised search tool does not provide users with access to payment card information.

“The investigation determined an unauthorized person accessed the customer contract search tool and some customer contracts,” the moving giant said.

“None of our financial, payment processing or U-Haul email systems were involved; the access was limited to the customer contract search tool.”

U-Haul says it provides affected customers one year of free identity theft protection services through Equifax to help them detect when or if their personal information is misused.

The American moving truck, trailer, and self-storage rental company has a network of more than 23,000 locations across the U.S. and Canada.

It operates a fleet of roughly 186,000 trucks, 128,000 trailers, and 46,000 towing devices and is the third largest self-storage operator in North America.

https://www-bleepingcomputer-com.cdn.ampproject.org/c/s/www.bleepingcomputer.com/news/security/u-haul-discloses-data-breach-exposing-customer-driver-licenses/amp/

U.S. Seizes Cryptocurrency Worth $30 Million Stolen by North Korean Hackers

More than $30 million worth of cryptocurrency plundered by the North Korea-linked Lazarus Group from online video game Axie Infinity has been recovered, marking the first time digital assets stolen by the threat actor have been seized.

“The seizures represent approximately 10% of the total funds stolen from Axie Infinity (accounting for price differences between time stolen and seized), and demonstrate that it is becoming more difficult for bad actors to successfully cash out their ill-gotten crypto gains,” Erin Plante, senior director of investigations at Chainalysis, said.

The development arrives more than five months after the crypto hack resulted in the theft of $620 million from the decentralized finance (DeFi) platform Ronin Network, with the attackers laundering a majority of the proceeds – amounting to $455 million – through the Ethereum-based cryptocurrency tumbler Tornado Cash.

The March 2022 cryptocurrency heist resulted in losses totaling 173,600 ETH worth about $594 million at the time and $25.5 million in USDC stablecoin, making it the biggest cryptocurrency theft to date.

Although Tornado Cash has emerged as a popular tool for anonymizing virtual currency transactions, its abuse by malicious actors such as the Lazarus Group to cash out the illicitly obtained assets has landed it in the crosshairs of the U.S. government, which imposed sanctions against the service last month.

The blockchain analytics firm said that the blocklisting forced the adversary to move away from the mixer in favor of DeFi services such as crypto bridges to chain hop and move digital assets between chains in a bid to obscure the trail of funds.

“The hacker bridged ETH from the Ethereum blockchain to the BNB chain and then swapped that ETH for USDD, which was then bridged to the BitTorrent chain,” Plante said, detailing the switch between several different kinds of cryptocurrencies in a single transaction to launder the stolen funds.

The Lazarus Group is a prolific advanced persistent threat (APT) driven by efforts to support North Korea's operational goals, which comprise espionage and generating revenue for the sanctions-hit nation by striking financial institutions. Most of its cyber operations are conducted by elements within the Reconnaissance General Bureau.

The seizure also comes as six users of Tornado Cash, including Coinbase employees, filed a lawsuit this week against the U.S. Treasury Department, Treasury Secretary Janet Yellen, and other officials over their decision to slap sanctions on the platform.

The crypto recovery is also indicative of the headway U.S. authorities have made in their ability to track and seize illicit cryptocurrency funds from various cybercrimes. In late July, the Justice Department announced the seizure of $500,000 worth of Bitcoin from a North Korean hacking crew which extorted digital payments from healthcare facilities by using a new ransomware strain known as Maui.

https://thehackernews.com/2022/09/us-seizes-cryptocurrency-worth-30.html?

Nitrokod Crypto Miner Infected Over 111,000 Users with Copies of Popular Software

A Turkish-speaking entity called Nitrokod has been attributed to an active cryptocurrency mining campaign that involves impersonating a desktop application for Google Translate to infect over 111,000 victims in 11 countries since 2019.

“The malicious tools can be used by anyone,” Maya Horowitz, vice president of research at Check Point, said in a statement shared with The Hacker News. “They can be found by a simple web search, downloaded from a link, and installation is a simple double-click.”

The list of countries with victims includes the U.K., the U.S., Sri Lanka, Greece, Israel, Germany, Turkey, Cyprus, Australia, Mongolia, and Poland.


The campaign entails serving malware through free software hosted on popular sites such as Softpedia and Uptodown. But in an interesting tactic, the malware puts off its execution for weeks and separates its malicious activity from the downloaded fake software to avoid detection.

The installation of the infected program is followed by the deployment of an update executable to disk that, in turn, kick-starts a multi-stage attack sequence, with each dropper paving the way for the next, until the actual malware is dropped in the seventh stage.

Upon execution of the malware, a connection to a remote command-and-control (C2) server is established to retrieve a configuration file to initiate the coin mining activity.


A notable aspect of the Nitrokod campaign is that the fake software offered for free is for services that do not have an official desktop version, such as Yandex Translate, Microsoft Translate, YouTube Music, MP3 Download Manager, and Pc Auto Shutdown.

Furthermore, the malware is dropped almost a month after the initial infection, by which time the forensic trail has been deleted, making it challenging to break down the attack and trace it back to the installer.

“What’s most interesting to me is the fact that the malicious software is so popular, yet went under the radar for so long,” Horowitz said. “The attacker can easily choose to alter the final payload of the attack, changing it from a crypto miner to, say, ransomware or banking trojan.”

https://thehackernews.com/2022/08/nitrokod-crypto-miner-infected-over.html?m=1